DHS issued a few critical cyber security announcements a few days ago. Some of the technical articles deserve practitioners' attention. Have you read the technical article "Threats to Precision Agriculture" yet? My personal opinion is that the predicted cyber attack scenario is not confined to agriculture; it may also happen in the aviation industry. Real-time kinematic (RTK) positioning is a technique used to enhance the precision of position data derived from satellite-based systems. The GPS system is now considered a "cross-sector dependency" for the Department of Homeland Security's (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference. When GNSS is denied, PNT information can be seriously affected in ways that increase risks to the safety of navigation. It is hard to avoid Microsoft operating systems being integrated into critical infrastructure nowadays. Microsoft formalized the Patch Tuesday schedule, and zero-days are a concern for the whole world, including the airline industry. What do you think? It looks like virtual patching services will be the first choice across the IT industry in the coming year.
Category Archives: Public safety
SIEMENS Vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) – Aug 2018
SIMATIC WinCC is a supervisory control and data acquisition (SCADA) and human-machine interface system from Siemens. Because threat actors have taken an interest in them, manufacturers have recently paid close attention to cybersecurity attacks. Hackers use the Microsoft operating system as the entry point, turning it into a channel for network attacks on SCADA facilities. Even Microsoft Office has been pulled into SCADA security concerns! As far as we know, the new version of the BLACKENERGY malware exploits an unpatched Office 2013 to form its attack. From a technical point of view, malware has a harder time surviving in a 64-bit OS environment. However, 32-bit operating systems are common in SCADA-related industries, so the design enhancement will take a longer time. The SCADA vendor found two vulnerabilities in SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) in Aug 2018 (see the diagram below). Tenable and Siemens have therefore partnered to secure critical infrastructure and reduce cybersecurity risks. Please refer to the following URL:
Are 64-bit OS malware proof?
Digital Defense – about social communication media or email communications
FBI Tech Tuesday: Building a Digital Defense Against Facebook Messenger Frauds
A vulnerability has been identified in IEC 61850 system configurator – CVE-2018-4858
While many cyber security gurus focus on nuclear power and other critical facilities, it looks like power substations also need to be included. From a technical point of view, the control centre will have both its consoles and its network environment hardened. But what about the configuration console for the substation? Is it allowed to install the configuration software (IEC 61850 system configurator) on a notebook for outdoor work? Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions. Cyber security attacks are carried out through different channels, but the major pathway is product vulnerabilities.
Official announcement by Siemens shown as below:
https://cert-portal.siemens.com/productcert/pdf/ssa-159860.pdf
Status update: 30th Jul 2018
The vendor has confirmed a vulnerability: a Denial-of-Service condition in the EN100 Ethernet Communication Module and SIPROTEC 5 relays.
Official announcement by Siemens shown as below:
https://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf
Defending the Power Grid From Hackers – Jul 2018
Cyber defense facilities today are very strong and effective at fighting different kinds of cyber attacks. Even when a stealer uses a DNS-based technique to exfiltrate data from a firm, anti-cyber-attack technology has its ways to quarantine and deny such activities. Perhaps you will point to the IoT device attacks that wreaked havoc worldwide. Those are hard to avoid, but there are still resolutions: cyber security vendors deploy network discovery facilities that can find devices whether or not they support 802.1X. So it looks perfect, with no concerns any more. But why do we still have cyber attack incidents happening today?
The Next Cyber Battleground
Sounds scary! The Next Cyber Battleground
Experts predict that digital infrastructure is a high-value target for cyber attacks. That includes smart cities, manufacturing automation, geospatial data systems, etc.
Some experts believe cyber incidents go underreported in the nuclear sector. The reason is that the Nuclear Regulatory Commission only requires the reporting of incidents that affect the safety, security functions, or emergency preparedness of the plant. Perhaps the intention is to avoid causing public panic.
We hear of cyber attacks on SCADA frequently. Does SCADA contain design weaknesses, or is there some other factor?
The SCADA Data Gateway (SDG) is a Windows™ application used by System Integrators and Utilities to collect data from OPC, IEC 60870-6 (TASE.2/ICCP), IEC 61850, IEC 60870-5, DNP3, or Modbus Server/Slave devices and then supplies this data to other control systems supporting OPC, IEC 60870-6 (TASE.2/ICCP) Client, IEC 60870-5, DNP3, and/or Modbus Client/Master communication protocols.
The core components supporting SCADA infrastructure are commonly built on Microsoft products, and therefore the attack surface is divided across several paths. We understand that nuclear facilities do not provide any public web portal, so direct attacks look impossible. However, Microsoft Office products have full market coverage in the world. It is rare that people do not use MS Word for word processing, right? As a matter of fact, hackers have now transformed MS Office products into a cyber attack medium. They re-use former MS Office vulnerabilities, which gives them a possible route to infiltration. From a technical point of view, even when the attacker sends out the file in RTF format, it still works.
Remark: RTF is a text file format used by Microsoft products, such as Word and Office. RTF, or Rich Text Format, files were developed by Microsoft in 1987 for use in their products and for cross-platform document interchange. RTF is readable by most word processors.
Quote:
Hackers are using Microsoft Word documents (or more specifically, RTF files listed with a “.doc” extension) to trick people into opening the files.
In this discussion, I am not going to drill into any technical details. Our aim is to provide hints and see whether they can enrich security awareness.
Below is a checklist of known malicious MS Word documents for reference.
Happy hunting – bye!
New version of black energy cyber attack target Microsoft OLE product design weakness
A Ukrainian intelligence agency has claimed it stopped a cyber attack against a chlorine plant that was launched using the notorious VPNFilter malware. Perhaps the world is focusing on VPNFilter malware spreading and infection. We learned earlier last month that the targets of that attack are low-end wireless routers and network attached storage (NAS) devices.
However, from my point of view, the main stream of cyber attacks so far is not limited to this incident. The fact is that what lures attackers into re-engineering their attacks seems to remain the Microsoft Office product line. What is the key component? Yes, it is OLE, Object Linking and Embedding. Or you may say, "If I follow the Microsoft Patch Tuesday remediation schedule, it will be safe." That looks correct. But a normal RTF file has been able to avoid detection by many security products, and therefore attackers use similar hacking techniques to execute cyber attacks in Ukraine. The political situation in Ukraine has given a never-ending story. Meanwhile, the world is never without MS Office documents!
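The RTF-with-a-".doc"-extension trick quoted in the earlier post and the OLE vector described here can both be checked at a mail gateway by looking at the bytes rather than the file name. This is an added example, not code from the post; the samples are constructed, and the `\objdata` check is a simple indicator, not a full RTF parser.

```python
import os

# Leading bytes of the containers Word will open no matter what extension the
# file carries; the extension only decides the icon and the default handler.
# Word is known to accept the truncated RTF header "{\rt", so match that prefix.
CONTAINER_MAGIC = (
    (b"{\\rt", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # binary .doc (OLE compound file)
    (b"PK\x03\x04", "ooxml"),                        # .docx zip container
)

# Which container each Word extension is supposed to deliver.
EXPECTED_BY_EXT = {
    ".doc": {"ole2"},
    ".dot": {"ole2"},
    ".docx": {"ooxml"},
    ".docm": {"ooxml"},
    ".rtf": {"rtf"},
}


def detect_container(data: bytes) -> str:
    """Classify an attachment by its magic bytes, never by its name."""
    for magic, kind in CONTAINER_MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_lies(filename: str, data: bytes) -> tuple:
    """Return (detected_kind, mismatch); mismatch is True when the extension
    promises a different container than the bytes actually hold."""
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_container(data)
    expected = EXPECTED_BY_EXT.get(ext)
    return kind, expected is not None and kind not in expected


def rtf_embeds_object(data: bytes) -> bool:
    """True when an RTF file carries embedded OLE object data (\\objdata),
    the OLE vehicle the post describes; a heuristic, not a full RTF parser."""
    return detect_container(data) == "rtf" and b"\\objdata" in data


# Constructed samples (no real malware): an RTF with an OLE object handed out
# as "CV.doc", and a genuine OLE2 .doc header stub.
SAMPLE_RTF_AS_DOC = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}"
SAMPLE_REAL_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
```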
Reference:
Headlines news – Ukraine claims it blocked VPNFilter attack at chemical plant : https://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/
My speculation on how Cisco (Talos) found the malware (VPNFilter malware)
The 2018 World Cup: malicious game websites and phishing emails also joined this competition. It is like a malware version of a football shot.
THE 2018 WORLD CUP lures hackers' interest; it is a breeding ground for hackers. The phishing campaign linked to the start of the FIFA World Cup is where cyber-criminals attempt to lure would-be victims into downloading, for instance, games, emails and related information. Such downloads contain malware and turn the downloader into a cyber attack victim.
How do you defend against this football (malware)?
1. Use and maintain antivirus software.
2. Keep software and operating systems up-to-date.
3. Be wary of downloading files from websites.
4. Think before you click!
Headline News :
The book of Revelation – OPC UA will be the target for next phase of SCADA system attack.
Preface
A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 drove my interest to do this study, so the report is equivalent to an enlightenment of my conception.
Background
A tremendous potential cyber attack was found by Cisco and announced to the public last week. They revealed this unknown story to the world, and the major security focus shifted to a new malware. As a result, we know the technical specifications of the malware called "VPNFilter". However, similar cyber attacks were encountered in the past. A similarity of those cyber attacks is that they focus on public facilities, especially nuclear power, gas and water supply systems, as the major target. Today we bring your attention to vulnerabilities in OPC (OLE for Process Control) and OPC Unified Architecture (OPC UA) systems. Those vulnerabilities are not high profile, but they require the attention of technical people.
About OPC & OPC Unified Architecture
OPC is an industry standard; it defines methods for exchanging real-time automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol for industrial automation developed by the OPC Foundation.
Overview of OPC Unified Architecture
Kaspersky technical findings
Referring to the technical report announced by Kaspersky on 10th May 2018, the key critical design flaws are shown below:
- Quote: OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.
………………………….
It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………
…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.
Hints: see whether the assembly language source code below (call OpcUa-memory_Alloc@4) can give you any idea in this regard.
2. In the process of analyzing the application, it was found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.
Hints: What is an XXE attack? The picture below shows a traditional XXE attack for reference. This XXE attack is the so-called billion laughs attack.
Remark: By disabling DTDs, application developers also strengthen the parser's ability to protect itself against DoS (denial of service) attacks.
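The remark above is the whole defence: if the parser refuses a DOCTYPE, neither an external entity (XXE) nor a nested-entity bomb such as billion laughs is ever resolved. As an added example, not code from Kaspersky's report or the OPC Foundation's .NET stack, here is that rule applied with Python's stdlib expat parser; the three documents are constructed, with the laughs bomb cut down to two levels.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when the document carries a DOCTYPE (internal or external DTD)."""


def parse_without_dtd(data: bytes) -> list:
    """Parse XML with expat but refuse any DOCTYPE.

    expat reports the DOCTYPE start before it processes a single <!ENTITY ...>
    declaration, so no external entity is fetched and nothing is expanded.
    Returns a list of (element, text) pairs for the character data found.
    """
    parser = xml.parsers.expat.ParserCreate()
    out, stack, buf = [], [], []

    def flush():
        text = "".join(buf).strip()
        if stack and text:
            out.append((stack[-1], text))
        buf.clear()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def entity_decl(*_):  # belt and braces; unreachable once DOCTYPE is refused
        raise DtdRejected("entity declaration not allowed")

    def start_element(name, attrs):
        flush()
        stack.append(name)

    def end_element(name):
        flush()
        stack.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = buf.append
    parser.Parse(data, True)
    return out


# Constructed inputs: a benign OPC-UA-style node, a two-level entity-expansion
# bomb, and an external-entity reference to a placeholder path.
SAFE_DOC = b"<Node><Name>Pump1</Name><Value>42</Value></Node>"
LAUGHS_DOC = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
              b'<!ENTITY lol2 "&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
XXE_DOC = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///constructed/secret.txt">]>'
           b'<r>&ext;</r>')


def is_rejected(data: bytes) -> bool:
    """True when the parser refused the document because of its DTD."""
    try:
        parse_without_dtd(data)
    except DtdRejected:
        return True
    return False
```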
My observation:
Upon inspection, OPC UA requires the following library files:
libeay32.dll, ssleay32.dll, and uastack.dll
The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in this version of OpenSSL, you may compile and use your own version, because it is an open source program.
Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer to the URL below.
https://opcfoundation.org/news/press-releases/review-kaspersky-labs-report-confirms-opc-foundations-transparent-open-source-opc-ua-implementations-strategy-improves-security/
— End —
Vulnerabilities – Waiting for vendor response – 23rd May 2018
Cyber attacks are wreaking havoc today. In order to protect the daily operations of power facilities, water supply, gas supply and the petroleum industry, SCADA control system vendors have implemented security controls in their system infrastructure. However, when vulnerabilities are found in their products, the vendor's remediation response is sometimes not efficient. For instance, Advantech is one of the key players with SCADA WebAccess, but it lacks the motivation to drive remediation on its products. There has been no official announcement so far on how to remediate these products. The vulnerabilities are shown below:
CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code.
CVE-2018-7503 – a path traversal vulnerability which may allow an attacker to disclose sensitive information on the target.
CVE-2018-7505 – the TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – allows an attacker to create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – in WebAccess SCADA Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path traversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files.
CVE-2018-8841 – an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.
Siemens – (CVE-2018-4832): Siemens Security Advisory by Siemens Product 18th Apr 2018
The gas and petroleum industries have required automation to enhance their overall operations in the last decade, and therefore the automation system setup requires supervisory control and data acquisition (SCADA). We noticed that hackers targeted SCADA systems installed in nuclear power facilities. We are living in the digital age, and therefore electricity supply is like air and water. So system automation hardware vendors have a responsibility to harden their system design. Siemens found a vulnerability in their Automation Technology Process Control System (PCS 7) in April last month. For more details, please refer to the URL below.
Vulnerability details
https://cert-portal.siemens.com/productcert/pdf/ssa-348629.pdf
My Speculation:
1. A denial of service vulnerability exists in the remote procedure call (RPC) facility due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An anonymous attacker could exploit the vulnerability by sending a specially crafted RPC authentication request to a computer over the network. An attacker who successfully exploited this vulnerability could cause the computer to stop responding and automatically restart.
2. GetMachineName() copies the machine name into a fixed 32-byte buffer, which causes the problem to occur.